Add support for adding LDAP admins based on user/group DNs (#2178)

Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
2022-07-20 18:27:11 -07:00
parent c501df927b
commit 251de9fe8a
20 changed files with 1125 additions and 38 deletions
--- a/operatorapi/embedded_spec.go
+++ b/operatorapi/embedded_spec.go
@@ -1704,6 +1704,48 @@ func init() {
        }
      }
    },
+    "/namespaces/{namespace}/tenants/{tenant}/set-administrators": {
+      "post": {
+        "tags": [
+          "OperatorAPI"
+        ],
+        "summary": "Set the consoleAdmin policy to the specified users and groups",
+        "operationId": "SetTenantAdministrators",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "namespace",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "name": "tenant",
+            "in": "path",
+            "required": true
+          },
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/setAdministratorsRequest"
+            }
+          }
+        ],
+        "responses": {
+          "204": {
+            "description": "A successful response."
+          },
+          "default": {
+            "description": "Generic error response.",
+            "schema": {
+              "$ref": "#/definitions/error"
+            }
+          }
+        }
+      }
+    },
    "/namespaces/{namespace}/tenants/{tenant}/usage": {
      "get": {
        "tags": [
@@ -4005,6 +4047,23 @@ func init() {
        }
      }
    },
+    "setAdministratorsRequest": {
+      "type": "object",
+      "properties": {
+        "group_dns": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "user_dns": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        }
+      }
+    },
    "state": {
      "type": "object",
      "properties": {
@@ -4274,9 +4333,6 @@ func init() {
        "diskCapacityGB": {
          "type": "string"
        },
-        "fsGroup": {
-          "type": "string"
-        },
        "image": {
          "type": "string"
        },
@@ -6400,6 +6456,48 @@ func init() {
        }
      }
    },
+    "/namespaces/{namespace}/tenants/{tenant}/set-administrators": {
+      "post": {
+        "tags": [
+          "OperatorAPI"
+        ],
+        "summary": "Set the consoleAdmin policy to the specified users and groups",
+        "operationId": "SetTenantAdministrators",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "namespace",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "name": "tenant",
+            "in": "path",
+            "required": true
+          },
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/setAdministratorsRequest"
+            }
+          }
+        ],
+        "responses": {
+          "204": {
+            "description": "A successful response."
+          },
+          "default": {
+            "description": "Generic error response.",
+            "schema": {
+              "$ref": "#/definitions/error"
+            }
+          }
+        }
+      }
+    },
    "/namespaces/{namespace}/tenants/{tenant}/usage": {
      "get": {
        "tags": [
@@ -9397,6 +9495,23 @@ func init() {
        }
      }
    },
+    "setAdministratorsRequest": {
+      "type": "object",
+      "properties": {
+        "group_dns": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "user_dns": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        }
+      }
+    },
    "state": {
      "type": "object",
      "properties": {
@@ -9666,9 +9781,6 @@ func init() {
        "diskCapacityGB": {
          "type": "string"
        },
-        "fsGroup": {
-          "type": "string"
-        },
        "image": {
          "type": "string"
        },
--- a/operatorapi/operations/operator_api.go
+++ b/operatorapi/operations/operator_api.go
@@ -175,6 +175,9 @@ func NewOperatorAPI(spec *loads.Document) *OperatorAPI {
 		AuthSessionCheckHandler: auth.SessionCheckHandlerFunc(func(params auth.SessionCheckParams, principal *models.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation auth.SessionCheck has not yet been implemented")
 		}),
+		OperatorAPISetTenantAdministratorsHandler: operator_api.SetTenantAdministratorsHandlerFunc(func(params operator_api.SetTenantAdministratorsParams, principal *models.Principal) middleware.Responder {
+			return middleware.NotImplemented("operation operator_api.SetTenantAdministrators has not yet been implemented")
+		}),
 		OperatorAPISetTenantLogsHandler: operator_api.SetTenantLogsHandlerFunc(func(params operator_api.SetTenantLogsParams, principal *models.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation operator_api.SetTenantLogs has not yet been implemented")
 		}),
@@ -355,6 +358,8 @@ type OperatorAPI struct {
 	OperatorAPIPutTenantYAMLHandler operator_api.PutTenantYAMLHandler
 	// AuthSessionCheckHandler sets the operation handler for the session check operation
 	AuthSessionCheckHandler auth.SessionCheckHandler
+	// OperatorAPISetTenantAdministratorsHandler sets the operation handler for the set tenant administrators operation
+	OperatorAPISetTenantAdministratorsHandler operator_api.SetTenantAdministratorsHandler
 	// OperatorAPISetTenantLogsHandler sets the operation handler for the set tenant logs operation
 	OperatorAPISetTenantLogsHandler operator_api.SetTenantLogsHandler
 	// OperatorAPISetTenantMonitoringHandler sets the operation handler for the set tenant monitoring operation
@@ -585,6 +590,9 @@ func (o *OperatorAPI) Validate() error {
 	if o.AuthSessionCheckHandler == nil {
 		unregistered = append(unregistered, "auth.SessionCheckHandler")
 	}
+	if o.OperatorAPISetTenantAdministratorsHandler == nil {
+		unregistered = append(unregistered, "operator_api.SetTenantAdministratorsHandler")
+	}
 	if o.OperatorAPISetTenantLogsHandler == nil {
 		unregistered = append(unregistered, "operator_api.SetTenantLogsHandler")
 	}
@@ -888,6 +896,10 @@ func (o *OperatorAPI) initHandlerCache() {
 		o.handlers["GET"] = make(map[string]http.Handler)
 	}
 	o.handlers["GET"]["/session"] = auth.NewSessionCheck(o.context, o.AuthSessionCheckHandler)
+	if o.handlers["POST"] == nil {
+		o.handlers["POST"] = make(map[string]http.Handler)
+	}
+	o.handlers["POST"]["/namespaces/{namespace}/tenants/{tenant}/set-administrators"] = operator_api.NewSetTenantAdministrators(o.context, o.OperatorAPISetTenantAdministratorsHandler)
 	if o.handlers["PUT"] == nil {
 		o.handlers["PUT"] = make(map[string]http.Handler)
 	}
--- a/operatorapi/operations/operator_api/set_tenant_administrators.go
+++ b/operatorapi/operations/operator_api/set_tenant_administrators.go
@@ -0,0 +1,88 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2022 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package operator_api
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/runtime/middleware"
+
+	"github.com/minio/console/models"
+)
+
+// SetTenantAdministratorsHandlerFunc turns a function with the right signature into a set tenant administrators handler
+type SetTenantAdministratorsHandlerFunc func(SetTenantAdministratorsParams, *models.Principal) middleware.Responder
+
+// Handle executing the request and returning a response
+func (fn SetTenantAdministratorsHandlerFunc) Handle(params SetTenantAdministratorsParams, principal *models.Principal) middleware.Responder {
+	return fn(params, principal)
+}
+
+// SetTenantAdministratorsHandler interface for that can handle valid set tenant administrators params
+type SetTenantAdministratorsHandler interface {
+	Handle(SetTenantAdministratorsParams, *models.Principal) middleware.Responder
+}
+
+// NewSetTenantAdministrators creates a new http.Handler for the set tenant administrators operation
+func NewSetTenantAdministrators(ctx *middleware.Context, handler SetTenantAdministratorsHandler) *SetTenantAdministrators {
+	return &SetTenantAdministrators{Context: ctx, Handler: handler}
+}
+
+/* SetTenantAdministrators swagger:route POST /namespaces/{namespace}/tenants/{tenant}/set-administrators OperatorAPI setTenantAdministrators
+
+Set the consoleAdmin policy to the specified users and groups
+
+*/
+type SetTenantAdministrators struct {
+	Context *middleware.Context
+	Handler SetTenantAdministratorsHandler
+}
+
+func (o *SetTenantAdministrators) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+	route, rCtx, _ := o.Context.RouteInfo(r)
+	if rCtx != nil {
+		*r = *rCtx
+	}
+	var Params = NewSetTenantAdministratorsParams()
+	uprinc, aCtx, err := o.Context.Authorize(r, route)
+	if err != nil {
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+	if aCtx != nil {
+		*r = *aCtx
+	}
+	var principal *models.Principal
+	if uprinc != nil {
+		principal = uprinc.(*models.Principal) // this is really a models.Principal, I promise
+	}
+
+	if err := o.Context.BindValidRequest(r, route, &Params); err != nil { // bind params
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+
+	res := o.Handler.Handle(Params, principal) // actually handle the request
+	o.Context.Respond(rw, r, route.Produces, route, res)
+
+}
--- a/operatorapi/operations/operator_api/set_tenant_administrators_parameters.go
+++ b/operatorapi/operations/operator_api/set_tenant_administrators_parameters.go
@@ -0,0 +1,151 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2022 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package operator_api
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"io"
+	"net/http"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/validate"
+
+	"github.com/minio/console/models"
+)
+
+// NewSetTenantAdministratorsParams creates a new SetTenantAdministratorsParams object
+//
+// There are no default values defined in the spec.
+func NewSetTenantAdministratorsParams() SetTenantAdministratorsParams {
+
+	return SetTenantAdministratorsParams{}
+}
+
+// SetTenantAdministratorsParams contains all the bound params for the set tenant administrators operation
+// typically these are obtained from a http.Request
+//
+// swagger:parameters SetTenantAdministrators
+type SetTenantAdministratorsParams struct {
+
+	// HTTP Request Object
+	HTTPRequest *http.Request `json:"-"`
+
+	/*
+	  Required: true
+	  In: body
+	*/
+	Body *models.SetAdministratorsRequest
+	/*
+	  Required: true
+	  In: path
+	*/
+	Namespace string
+	/*
+	  Required: true
+	  In: path
+	*/
+	Tenant string
+}
+
+// BindRequest both binds and validates a request, it assumes that complex things implement a Validatable(strfmt.Registry) error interface
+// for simple values it will use straight method calls.
+//
+// To ensure default values, the struct must have been initialized with NewSetTenantAdministratorsParams() beforehand.
+func (o *SetTenantAdministratorsParams) BindRequest(r *http.Request, route *middleware.MatchedRoute) error {
+	var res []error
+
+	o.HTTPRequest = r
+
+	if runtime.HasBody(r) {
+		defer r.Body.Close()
+		var body models.SetAdministratorsRequest
+		if err := route.Consumer.Consume(r.Body, &body); err != nil {
+			if err == io.EOF {
+				res = append(res, errors.Required("body", "body", ""))
+			} else {
+				res = append(res, errors.NewParseError("body", "body", "", err))
+			}
+		} else {
+			// validate body object
+			if err := body.Validate(route.Formats); err != nil {
+				res = append(res, err)
+			}
+
+			ctx := validate.WithOperationRequest(context.Background())
+			if err := body.ContextValidate(ctx, route.Formats); err != nil {
+				res = append(res, err)
+			}
+
+			if len(res) == 0 {
+				o.Body = &body
+			}
+		}
+	} else {
+		res = append(res, errors.Required("body", "body", ""))
+	}
+
+	rNamespace, rhkNamespace, _ := route.Params.GetOK("namespace")
+	if err := o.bindNamespace(rNamespace, rhkNamespace, route.Formats); err != nil {
+		res = append(res, err)
+	}
+
+	rTenant, rhkTenant, _ := route.Params.GetOK("tenant")
+	if err := o.bindTenant(rTenant, rhkTenant, route.Formats); err != nil {
+		res = append(res, err)
+	}
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+// bindNamespace binds and validates parameter Namespace from path.
+func (o *SetTenantAdministratorsParams) bindNamespace(rawData []string, hasKey bool, formats strfmt.Registry) error {
+	var raw string
+	if len(rawData) > 0 {
+		raw = rawData[len(rawData)-1]
+	}
+
+	// Required: true
+	// Parameter is provided by construction from the route
+	o.Namespace = raw
+
+	return nil
+}
+
+// bindTenant binds and validates parameter Tenant from path.
+func (o *SetTenantAdministratorsParams) bindTenant(rawData []string, hasKey bool, formats strfmt.Registry) error {
+	var raw string
+	if len(rawData) > 0 {
+		raw = rawData[len(rawData)-1]
+	}
+
+	// Required: true
+	// Parameter is provided by construction from the route
+	o.Tenant = raw
+
+	return nil
+}
--- a/operatorapi/operations/operator_api/set_tenant_administrators_responses.go
+++ b/operatorapi/operations/operator_api/set_tenant_administrators_responses.go
@@ -0,0 +1,113 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2022 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package operator_api
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/runtime"
+
+	"github.com/minio/console/models"
+)
+
+// SetTenantAdministratorsNoContentCode is the HTTP code returned for type SetTenantAdministratorsNoContent
+const SetTenantAdministratorsNoContentCode int = 204
+
+/*SetTenantAdministratorsNoContent A successful response.
+
+swagger:response setTenantAdministratorsNoContent
+*/
+type SetTenantAdministratorsNoContent struct {
+}
+
+// NewSetTenantAdministratorsNoContent creates SetTenantAdministratorsNoContent with default headers values
+func NewSetTenantAdministratorsNoContent() *SetTenantAdministratorsNoContent {
+
+	return &SetTenantAdministratorsNoContent{}
+}
+
+// WriteResponse to the client
+func (o *SetTenantAdministratorsNoContent) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(204)
+}
+
+/*SetTenantAdministratorsDefault Generic error response.
+
+swagger:response setTenantAdministratorsDefault
+*/
+type SetTenantAdministratorsDefault struct {
+	_statusCode int
+
+	/*
+	  In: Body
+	*/
+	Payload *models.Error `json:"body,omitempty"`
+}
+
+// NewSetTenantAdministratorsDefault creates SetTenantAdministratorsDefault with default headers values
+func NewSetTenantAdministratorsDefault(code int) *SetTenantAdministratorsDefault {
+	if code <= 0 {
+		code = 500
+	}
+
+	return &SetTenantAdministratorsDefault{
+		_statusCode: code,
+	}
+}
+
+// WithStatusCode adds the status to the set tenant administrators default response
+func (o *SetTenantAdministratorsDefault) WithStatusCode(code int) *SetTenantAdministratorsDefault {
+	o._statusCode = code
+	return o
+}
+
+// SetStatusCode sets the status to the set tenant administrators default response
+func (o *SetTenantAdministratorsDefault) SetStatusCode(code int) {
+	o._statusCode = code
+}
+
+// WithPayload adds the payload to the set tenant administrators default response
+func (o *SetTenantAdministratorsDefault) WithPayload(payload *models.Error) *SetTenantAdministratorsDefault {
+	o.Payload = payload
+	return o
+}
+
+// SetPayload sets the payload to the set tenant administrators default response
+func (o *SetTenantAdministratorsDefault) SetPayload(payload *models.Error) {
+	o.Payload = payload
+}
+
+// WriteResponse to the client
+func (o *SetTenantAdministratorsDefault) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.WriteHeader(o._statusCode)
+	if o.Payload != nil {
+		payload := o.Payload
+		if err := producer.Produce(rw, payload); err != nil {
+			panic(err) // let the recovery middleware deal with this
+		}
+	}
+}
--- a/operatorapi/operations/operator_api/set_tenant_administrators_urlbuilder.go
+++ b/operatorapi/operations/operator_api/set_tenant_administrators_urlbuilder.go
@@ -0,0 +1,124 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2022 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package operator_api
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"errors"
+	"net/url"
+	golangswaggerpaths "path"
+	"strings"
+)
+
+// SetTenantAdministratorsURL generates an URL for the set tenant administrators operation
+type SetTenantAdministratorsURL struct {
+	Namespace string
+	Tenant    string
+
+	_basePath string
+	// avoid unkeyed usage
+	_ struct{}
+}
+
+// WithBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *SetTenantAdministratorsURL) WithBasePath(bp string) *SetTenantAdministratorsURL {
+	o.SetBasePath(bp)
+	return o
+}
+
+// SetBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *SetTenantAdministratorsURL) SetBasePath(bp string) {
+	o._basePath = bp
+}
+
+// Build a url path and query string
+func (o *SetTenantAdministratorsURL) Build() (*url.URL, error) {
+	var _result url.URL
+
+	var _path = "/namespaces/{namespace}/tenants/{tenant}/set-administrators"
+
+	namespace := o.Namespace
+	if namespace != "" {
+		_path = strings.Replace(_path, "{namespace}", namespace, -1)
+	} else {
+		return nil, errors.New("namespace is required on SetTenantAdministratorsURL")
+	}
+
+	tenant := o.Tenant
+	if tenant != "" {
+		_path = strings.Replace(_path, "{tenant}", tenant, -1)
+	} else {
+		return nil, errors.New("tenant is required on SetTenantAdministratorsURL")
+	}
+
+	_basePath := o._basePath
+	if _basePath == "" {
+		_basePath = "/api/v1"
+	}
+	_result.Path = golangswaggerpaths.Join(_basePath, _path)
+
+	return &_result, nil
+}
+
+// Must is a helper function to panic when the url builder returns an error
+func (o *SetTenantAdministratorsURL) Must(u *url.URL, err error) *url.URL {
+	if err != nil {
+		panic(err)
+	}
+	if u == nil {
+		panic("url can't be nil")
+	}
+	return u
+}
+
+// String returns the string representation of the path with query string
+func (o *SetTenantAdministratorsURL) String() string {
+	return o.Must(o.Build()).String()
+}
+
+// BuildFull builds a full url with scheme, host, path and query string
+func (o *SetTenantAdministratorsURL) BuildFull(scheme, host string) (*url.URL, error) {
+	if scheme == "" {
+		return nil, errors.New("scheme is required for a full url on SetTenantAdministratorsURL")
+	}
+	if host == "" {
+		return nil, errors.New("host is required for a full url on SetTenantAdministratorsURL")
+	}
+
+	base, err := o.Build()
+	if err != nil {
+		return nil, err
+	}
+
+	base.Scheme = scheme
+	base.Host = host
+	return base, nil
+}
+
+// StringFull returns the string representation of a complete url
+func (o *SetTenantAdministratorsURL) StringFull(scheme, host string) string {
+	return o.Must(o.BuildFull(scheme, host)).String()
+}
--- a/operatorapi/tenants.go
+++ b/operatorapi/tenants.go
@@ -128,6 +128,15 @@ func registerTenantHandlers(api *operations.OperatorAPI) {
 		return operator_api.NewUpdateTenantSecurityNoContent()
 	})

+	// Set Tenant Administrators
+	api.OperatorAPISetTenantAdministratorsHandler = operator_api.SetTenantAdministratorsHandlerFunc(func(params operator_api.SetTenantAdministratorsParams, session *models.Principal) middleware.Responder {
+		err := getSetTenantAdministratorsResponse(session, params)
+		if err != nil {
+			return operator_api.NewSetTenantAdministratorsDefault(int(err.Code)).WithPayload(err)
+		}
+		return operator_api.NewSetTenantAdministratorsNoContent()
+	})
+
 	// Tenant identity provider details
 	api.OperatorAPITenantIdentityProviderHandler = operator_api.TenantIdentityProviderHandlerFunc(func(params operator_api.TenantIdentityProviderParams, session *models.Principal) middleware.Responder {
 		resp, err := getTenantIdentityProviderResponse(session, params)
@@ -912,6 +921,58 @@ func getUpdateTenantIdentityProviderResponse(session *models.Principal, params o
 	return nil
 }

+func getSetTenantAdministratorsResponse(session *models.Principal, params operator_api.SetTenantAdministratorsParams) *models.Error {
+	ctx, cancel := context.WithCancel(params.HTTPRequest.Context())
+	defer cancel()
+	opClientClientSet, err := cluster.OperatorClient(session.STSSessionToken)
+	if err != nil {
+		return restapi.ErrorWithContext(ctx, err)
+	}
+	// get Kubernetes Client
+	clientSet, err := cluster.K8sClient(session.STSSessionToken)
+	if err != nil {
+		return restapi.ErrorWithContext(ctx, err)
+	}
+	k8sClient := &k8sClient{
+		client: clientSet,
+	}
+	opClient := &operatorClient{
+		client: opClientClientSet,
+	}
+
+	minTenant, err := getTenant(ctx, opClient, params.Namespace, params.Tenant)
+	if err != nil {
+		return restapi.ErrorWithContext(ctx, err)
+	}
+	minTenant.EnsureDefaults()
+
+	svcURL := GetTenantServiceURL(minTenant)
+	// getTenantAdminClient will use all certificates under ~/.console/certs/CAs to trust the TLS connections with MinIO tenants
+	mAdmin, err := getTenantAdminClient(
+		ctx,
+		k8sClient,
+		minTenant,
+		svcURL,
+	)
+	if err != nil {
+		return restapi.ErrorWithContext(ctx, err)
+	}
+	// create a minioClient interface implementation
+	// defining the client to be used
+	adminClient := restapi.AdminClient{Client: mAdmin}
+	for _, user := range params.Body.UserDNS {
+		if err := restapi.SetPolicy(ctx, adminClient, "consoleAdmin", user, "user"); err != nil {
+			return restapi.ErrorWithContext(ctx, err)
+		}
+	}
+	for _, group := range params.Body.GroupDNS {
+		if err := restapi.SetPolicy(ctx, adminClient, "consoleAdmin", group, "group"); err != nil {
+			return restapi.ErrorWithContext(ctx, err)
+		}
+	}
+	return nil
+}
+
 func getTenantSecurityResponse(session *models.Principal, params operator_api.TenantSecurityParams) (*models.TenantSecurityResponse, *models.Error) {
 	ctx, cancel := context.WithCancel(params.HTTPRequest.Context())
 	defer cancel()